(54) Accelerated finite field operations on an elliptic curve

(57) A method for multiplication of a point P on an elliptic curve E by a value k in order to derive a point kP comprises the steps of representing the number k as a vector of binary digits stored in a register and forming a sequence of point pairs (P1, P2) wherein the points of each pair differ at most by P and wherein the successive series of point pairs are selected either by computing (2mP, (2m+1)P) from (mP, (m+1)P) or ((2m+1)P, (2m+2)P) from (mP, (m+1)P). The computations may be performed without using the y-coordinate of the points during the computation while allowing the y-coordinate to be extracted at the end of the computations, thus avoiding the use of inversion operations during the computation and therefore speeding up the cryptographic processor functions. A method is also disclosed for accelerating signature verification between two parties.
Description

This invention relates to a method of accelerating operations in a finite field, and in particular to operations performed in a field $F_{2^m}$ such as used in encryption systems.
BACKGROUND OF THE INVENTION

Finite fields of characteristic two in $F_{2^m}$ are of interest since they allow for the efficient implementation of elliptic curve arithmetic. The field $F_{2^m}$ can be viewed as a vector space of dimension m over $F_2$. Once a basis of $F_{2^m}$ over $F_2$ has been chosen, the elements of $F_{2^m}$ can be conveniently represented as vectors of elements zero or one and of length m. In hardware, a field element is stored in a shift register of length m. Addition of field elements is performed by bitwise XOR-ing (⊕) the vector representations and takes one clock cycle.

Digital signatures are used to confirm that a particular party has sent a message and that the contents have not 
been altered during transmission. 

A widely used set of signature protocols utilizes the ElGamal public key signature scheme that signs a message with the sender's private key. The recipient may then verify the signature with the sender's public key.

Various protocols exist for implementing such a scheme and some have been widely used. In each case, however, the recipient is required to perform a computation to verify the signature. Where the recipient has adequate computing power this does not present a particular problem, but where the recipient has limited computing power, such as in a "smart card" application, the computations may introduce delays in the verification process.

Public key schemes may be implemented using one of a number of groups in which the discrete log problem appears intractable, but a particularly robust implementation is that utilizing the characteristics of points on an elliptic curve over a finite field. This implementation has the advantage that the requisite security can be obtained with relatively small orders of field compared with, for example, implementations in $Z_p^*$ and therefore reduces the bandwidth required for communicating the signatures.

In a typical implementation a signature component s has the form:

$s = ae + k \pmod n$ where:

P is a point on the curve, which is a predefined parameter of the system;

k is a random integer selected as a short term private or session key, and has a corresponding short term public key R = kP;

a is the long term private key of the sender and has a corresponding public key aP = Q;

e is a secure hash, such as the SHA hash function, of a message m and short term public key R; and

n is the order of the curve.

The sender sends to the recipient a message including m, s, and R and the signature is verified by computing the value R' = (sP − eQ) which should correspond to R. If the computed values are equivalent then the signature is verified.

In order to perform the verification it is necessary to compute a number of point multiplications to obtain sP and eQ, each of which is computationally intensive. Elliptic curves E over $F_q$ can be divided into two classes, namely supersingular and non-supersingular curves. If $F_q$ is of characteristic 2, i.e. $q = 2^m$, then the classes are defined as follows.

(i) The set of all solutions to the equation $y^2 + ay = x^3 + bx + c$ where $a, b, c \in F_q$, $a \ne 0$, together with a special point called the point at infinity O, is a supersingular curve over $F_q$.

(ii) The set of all solutions to the equation $y^2 + xy = x^3 + ax^2 + b$ where $a, b \in F_q$, $b \ne 0$, together with a special point called the point at infinity O, is a nonsupersingular curve over $F_q$.



By defining an appropriate addition on these points, we obtain an additive abelian group. The addition of two points $P(x_1, y_1)$ and $Q(x_2, y_2)$ for the supersingular elliptic curve E with $y^2 + ay = x^3 + bx + c$ is given by the following: if $P = (x_1, y_1) \in E$ then define $-P = (x_1, y_1 + a)$, $P + O = O + P = P$. If $Q = (x_2, y_2) \in E$ and $Q \ne -P$, then the point representing the sum $P + Q$ is denoted $(x_3, y_3)$.

The addition of two points $P(x_1, y_1)$ and $Q(x_2, y_2)$ for the nonsupersingular elliptic curve $y^2 + xy = x^3 + ax^2 + b$ is given by the following: $-P = (x_1, y_1 + x_1)$. For all $P \in E$, $O + P = P + O = P$. If $Q = (x_2, y_2) \in E$ and $Q \ne -P$, then $P + Q$ is a point $(x_3, y_3)$, where

$x_3 = \left(\frac{y_1 + y_2}{x_1 + x_2}\right)^2 + \frac{y_1 + y_2}{x_1 + x_2} + x_1 + x_2 + a$ ($P \ne Q$)

or

$x_3 = x_1^2 + \frac{b}{x_1^2}$ ($P = Q$)

and

$y_3 = \frac{y_1 + y_2}{x_1 + x_2}(x_1 + x_3) + x_3 + y_1$ ($P \ne Q$)

or

$y_3 = x_1^2 + \left(x_1 + \frac{y_1}{x_1} + 1\right) x_3$ ($P = Q$)
Now supersingular curves are preferred, as they are more resistant to the MOV attack. It can be seen that computing the sum of two points on E requires several multiplications, additions, and inverses in the underlying field $F_{2^m}$. In turn, each of these operations requires a sequence of elementary bit operations.

When implementing cryptographic operations in ElGamal or Diffie-Hellman schemes, or generally most cryptographic operations with elliptic curves, one is required to compute kP = P + P + ... + P (P added k times) where k is a positive integer and $P \in E$. This requires the computation of $(x_3, y_3)$ to be performed k−1 times. For large values of k, which are typically necessary in cryptographic applications, this has previously been considered impractical for data communication. If k is large, for example 1024 bits, kP would be calculated by performing $2^{1024}$ additions of P.

Furthermore, in a multiplicative group, multiplications and inversions are extremely computationally intensive, with 
field inversions being more expensive than field multiplications. The inversion operation needed when adding two points 
can be eliminated by resorting to projective coordinates. The formula for addition of two points however, requires a 
larger number of multiplications than is required when using affine coordinates. 

In a paper entitled "Elliptic Curve Cryptosystems and Their Implementation" by Vanstone et al., published in The 
Journal of Cryptology, a method is described for adding two points by converting to projective coordinates and thus 
eliminating the inversion computation. However, the overall gain in speed by elimination of the inversion is at the 
expense of space. Extra registers are required to store P and Q and also to store intermediate results when doing the 
addition. Furthermore, this method requires the use of the y-coordinate in the calculation. 

SUMMARY OF THE INVENTION 

It is therefore an object of the present invention to provide a method and apparatus in which some of the above dis- 
advantages are obviated or mitigated. 

It is a further object of the invention to provide a method of multiplying finite field elements, and which may be imple- 
mented relatively efficiently on a processor with limited processing capability, such as a smart card or the like. 
It is a still further object of the present invention to provide a method and apparatus in which signature verification may be accelerated in elliptic curve encryption systems.

In accordance with this invention there is provided a method of determining a multiple of a point P on an elliptic curve defined over a field $F_{2^M}$, said method comprising the steps of:

a) representing the number k as a vector of binary digits $k_i$;

b) forming a pair of points P1 and P2, wherein the points P1 and P2 differ at most by P; and

c) selecting each of the $k_i$ in turn and for each of the $k_i$:

upon the $k_i$ being a one, adding the pair of points P1 and P2 to form a new point P1 and adding the point P to P1 to form a new point P2, the new points replacing the pair of points P1 and P2; or

upon the $k_i$ being a zero, doubling the point P1 to form a new point P1 and adding the point P to form a new point P2, the new points replacing the pair of points P1 and P2, whereby the product kP is obtained from the point P1 in M−1 steps and wherein M represents the number of digits in k.

Furthermore, the inventors have implemented a method whereby computation of a product kP can be performed 
without the use of the y coordinate of the point P during computation. 

BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments of the present invention will now be described by way of example only with reference to the accompanying drawings in which:

Figure 1 is a schematic representation of a data communication system;
Figure 2 is a schematic diagram of an encryption/decryption unit;
Figure 3 is a flow chart for computing a multiple of a point;
Figure 4 is a flow chart showing the extraction of a y-coordinate; and
Figure 5 is an illustration of an embodiment of the present invention.

DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT

Referring to Figure 1, a data communication system 2 includes a pair of correspondents, designated as a sender 10 and a recipient 12, connected via a communication channel 14. Each of the correspondents 10, 12 includes an encryption/decryption unit 16 associated therewith that may process digital information and prepare it for transmission through the channel 14 as will be described below. The encryption/decryption units implement, amongst others, key exchange protocols and an encryption/decryption algorithm.

The module 16 is shown schematically in Figure 2 and includes an arithmetic logic unit 20 to perform the computations including key exchange and generation. A private key register 22 contains a private key, d, generated for example as a 155 bit data string from a random number generator 24, and used to generate a public key stored in a public key register 26. A base point register 28 contains the co-ordinates of a base point P that lies in the elliptic curve selected, with each coordinate (x, y) represented as a 155 bit data string. Each of the data strings is a vector of binary digits with each digit being the coefficient of an element of the finite field in the normal basis representation of the co-ordinate.

The elliptic curve selected will have the general form $y^2 + xy = x^3 + ax^2 + b$ and the parameters of that curve, namely the coefficients a and b, are stored in a parameter register 30. The contents of registers 22, 24, 26, 28, 30 may be transferred to the arithmetic unit 20 under control of a CPU 32 as required.

The contents of the public key register 26 are also available to the communication channel 14 upon a suitable request being received. In the simplest implementation, each encryption module 16 in a common secure zone will operate with the same curve and base point so that the contents of registers 28 and 30 need not be accessible. If further sophistication is required, however, each module 16 may select its own curve and base point, in which case the contents of registers 28, 30 have to be accessible to the channel 14.

The module 16 also contains an integer register 34 that receives an integer k, the session seed, from the generator 24 for use in encryption and key exchange. The module 16 has a random access memory (RAM) 36 that is used as a temporary store as required during computations.

In accordance with a general embodiment, the sender assembles a data string, which includes amongst others the public key Q of the sender, a message m, the sender's short term public key R and a signature component s of the sender. When assembled, the data string is sent over the channel 14 to the intended recipient 12.

For simplicity it will be assumed that the signature component s of the sender 12 is of the form $s = ae + k \pmod n$ as discussed above, although it will be understood that other signature protocols may be used. To verify the signature, sP − eQ must be computed and compared with R.

Thus a first step of the recipient is to retrieve the value of Q from the string. A hash value e may also be computed from the message m and the coordinates of the point R. The recipient is then able to perform the verification by computing sP and eQ.

In order to accelerate the calculation of sP or eQ, the recipient may adopt the following to calculate the coordinates of the new point sP, in order to avoid performing the several multiplications, additions and inverses in the underlying field $F_{2^m}$. The recipient may calculate sP by resorting to the expedient of a "double and add" method as shown in figure 3.

Referring to figure 3, one embodiment of the invention illustrating a "double and add" method for multiplication of a point P on an elliptic curve E by a value k in order to derive a point kP is implemented by initially representing k in its binary form. Next a successive series of point pairs (mP, (m+1)P) are set up. Each successive digit of k is considered in turn: upon the occurrence of a zero value digit in the binary representation of k, the first of the pair of points is doubled and one is added to the second of the pair of points, i.e. compute (2mP, (2m+1)P) from (mP, (m+1)P). Alternatively, upon the occurrence of a one value in the binary representation of k, the first of the pair is formed from the sum of the previous pair of points and the second of the pair is formed by adding one to the first of the pair, i.e. compute ((2m+1)P, (2m+2)P) from (mP, (m+1)P).

This is illustrated in the following short example, in which k = 23. The value of k may be represented in binary as (10111). Applying the above rule to a pair of points (P, 2P) we get the successive sequence of point pairs (2P, 3P); (5P, 6P); (11P, 12P); and finally (23P, 24P). The first of the pair is thus the required point.

Thus, it may be seen the final result 23P is obtained by performing a series of "double and add" operations on a pair of points in the field wherein the points in a given pair differ by P. Furthermore the number of "double and add" operations equals at most one less than the number of bits in k, i.e. (m − 1) times. This method of "double and add" has a distinct advantage for large values of k in reducing the number of operations to be performed by a processor. This may be contrasted with performing k double and adds on a single point P as described earlier in the background of the invention.

Turning back to the calculation of sP and eQ, the recipient may thus apply the above embodiment to calculating sP for the nonsupersingular elliptic curve $y^2 + xy = x^3 + ax^2 + b$, E defined over $F_{2^m}$.

If $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$, $P_1 \ne \pm P_2$, are points on the curve E then we can define $P_1 + P_2 = (x_3, y_3)$ where

$x_3 = \lambda^2 + \lambda + x_1 + x_2 + a$ (1)

wherein the slope of the curve is given by:

$\lambda = \frac{y_2 + y_1}{x_2 + x_1}$

Similarly, if $-P_2 = (x_2, y_2 + x_2)$ and $P_1 - P_2 = (x_4, y_4)$ then

$x_4 = \lambda'^2 + \lambda' + x_1 + x_2 + a = \lambda^2 + \frac{x_2^2}{(x_1 + x_2)^2} + \lambda + \frac{x_2}{x_1 + x_2} + x_1 + x_2 + a$ (2)

where

$\lambda' = \frac{y_2 + x_2 + y_1}{x_2 + x_1} = \lambda + \frac{x_2}{x_2 + x_1}$

If we add $x_3$ and $x_4$ then

$x_3 + x_4 = \frac{x_2^2}{(x_1 + x_2)^2} + \frac{x_2}{x_1 + x_2} = \frac{x_1 x_2}{(x_1 + x_2)^2}$, i.e. $x_3 = x_4 + \frac{x_1 x_2}{(x_1 + x_2)^2}$ (3)

To compute the x-coordinate $x_3$ of $(P_1 + P_2)$ we only need the x-coordinates of $P_1$, $P_2$ and $(P_1 - P_2)$. However this computation is not optimally efficient as it requires inversions. It may also be noted that the y-coordinate is not needed.

Referring to figure 2, the value kP may be calculated using the "double and add" method. Whenever a new p
air of points is computed the addition formula of equation (3) above is used and this is done m times. Thus we have a formula for $x_3$ involving $x_1$, $x_2$ and $x_4$. Unfortunately, this formula includes an inversion, which is costly. We can modify this equation as follows: suppose the values of $x_1$, $x_2$ and $x_3$ are given by

$x_1 = \frac{X_1}{Z_1}$, $x_2 = \frac{X_2}{Z_2}$, $x_3 = \frac{X_3}{Z_3}$

where $X_1, X_2, X_3, Z_1, Z_2, Z_3$ are values maintained during the double and add algorithm. Then substituting these new representations into formula (3), we find

$\frac{X_3}{Z_3} = x_4 + \frac{X_1 Z_2 \cdot X_2 Z_1}{(X_1 Z_2 + X_2 Z_1)^2}$

Therefore, if we take $X_3 = x_4 (X_1 Z_2 + X_2 Z_1)^2 + X_1 X_2 Z_1 Z_2$ and $Z_3 = (X_1 Z_2 + X_2 Z_1)^2$, we can run the "double & add" algorithm of figure 3 (using this new representation) and avoid the computation of an inversion for most of the computation.

From the equations for $X_3$ and $Z_3$ above it may be seen that $X_3$ may be calculated by performing at most four multiplications. The sum of the points $P_1$ and $P_2$, expressed in terms of $X_3$ and $Z_3$, is obtained without having to perform a relatively costly inversion on the x-coordinate, and can be computed using at most four multiplications and two squarings. The remaining operations of addition and squaring are relatively inexpensive with regard to computational power. The computation of the term $(X_1 Z_2 + X_2 Z_1)^2$ is obtained by a cyclic shift of the normal basis representation of the value in parentheses, which a general-purpose processor can perform relatively easily. At the end of the algorithm we can ...

Turning to the doubling of a point $P(x_1, y_1)$, let $2(x_1, y_1) = (x_3, y_3)$; then, as before, if the equation of the curve E is given by $y^2 + xy = x^3 + ax^2 + b$ over $F_{2^m}$, the x-coordinate of the point 2P is represented by

$x_3 = x_1^2 + \frac{b}{x_1^2}$

Once again representing the coordinates in terms of the projective coordinates we obtain

$X_3 = X_1^4 + b Z_1^4$ and $Z_3 = X_1^2 Z_1^2$

or

$X_3 = (X_1^2 + \sqrt{b}\, Z_1^2)^2$

By making b relatively small the computationally expensive operations may be reduced to approximately one multiplication operation for the $Z_3$ term. We can precompute $\sqrt{b}$ and calculate $X_3$ according to the last equation, thus requiring two fewer squarings. Alternatively, as mentioned earlier, in a normal basis representation the computation of $x_1^4$ and $z_1^4$ is obtained by two cyclic shifts of the representation of the respective values, while $(x_1 z_1)^2$ is obtained by a single cyclic shift of the product.

Applying the earlier outlined "double and add" method of figure 3, we observe that for a scalar k of m bits the calculation of kP defined over $F_{2^m}$ requires at most (m−1) double and add operations. From the above discussion a double operation on points of an elliptic curve is achieved by performing at most two multiplication operations, while the add operation is achieved by performing at most four multiplication operations. Thus to compute the x-coordinate of kP using the method of this invention would require at most six times (m−1) multiplication operations.

Once the x values have been calculated, as above, y-coordinate values may also be determined. However, for each x-coordinate there exist at most two y-coordinates. For example, in the final step of obtaining a point 24P, both points 23P and P would be known, since 24P may be expressed as 23P + P = 24P. Assume the x-coordinate $x_{23}$ of the point A = 23P has been obtained as described earlier. Then, by substituting $x_{23}$ into the elliptic curve equation E and solving the resulting quadratic equation, two values of y are obtained corresponding to points $A = (x_{23}, y_{23}^{(1)})$ and $B = (x_{23}, y_{23}^{(2)})$. Next, substituting the x-coordinate $x_{24}$ obtained through calculating 24P = P + 23P into the elliptic curve equation will produce two points $(x_{24}, y_{24}^{(1)})$ and $(x_{24}, y_{24}^{(2)})$. The two points thus obtained are stored. To the points A and B is added point P using ordinary point addition to produce corresponding points $A + P = (x_a, y_a)$ and $B + P = (x_b, y_b)$, respectively. Point $(x_a, y_a)$ is compared to points $(x_{24}, y_{24}^{(1)})$ and $(x_{24}, y_{24}^{(2)})$, respectively. If none of the points match, then $(x_b, y_b)$ is the correct point, otherwise $(x_a, y_a)$ is the correct point. Thus, it may be seen that multiples of a point P may be easily calculated without knowing the y-coordinate and, furthermore, the y-coordinate may be obtained at the end of the calculation, if so desired.

Thus, for example, referring back to the ElGamal scheme for elliptic curves, one is required to compute r = kP = (x, y). In this case one can drop the y-coordinate and produce a hash of a message m and the x-coordinate, e = h(m // x). The sender then sends to a recipient a message including a signature s and the hash e. The signature s has the form $s = (de + k) \bmod n$, where d is the private key of the sender and k is a random number generated by the sender. The recipient then verifies the signature by calculating sP − eQ = r. Both sP and eQ may be calculated by utilizing the "double and add" method of this invention. The x values of sP and eQ each produce two possible values of y: $(x_1, y_1^{(1)})$, $(x_1, y_1^{(2)})$ and $(x_2, y_2^{(1)})$, $(x_2, y_2^{(2)})$ when substituted back into the elliptic curve equation E. When the point subtraction is performed between permutations of these points, the correct y will thus produce the appropriate matching r. If none of these substitutions produce a matching r, then the signature is not verified.

Referring to figure 4, a schematic diagram of a further method for determining the y-coordinate of kP derived according to the method described with respect to figure 3, and given the point P = (x, y) and the x-coordinate x of (k−1)P and x' of kP, is shown generally by numeral 50. As may be noted with respect to figure 3, in computing the x-coordinate of kP the x-coordinate of (k−1)P is also calculated.

Thus, initially substitute into the elliptic curve equation to obtain a value of y' such that the point (x', y') is on the curve. Next, at step 54, assign the point Q to (x', y'). Next compute a point Q − P = (x'', y'') by simple point subtraction 55. The derived x-coordinate x'' is compared to the x-coordinate x of (k−1)P at step 56 and if x'' = x then y' is the y-coordinate of kP, otherwise y' is the y-coordinate of −kP. It may be noted that this method works if 0 < k < order of point P.

Utilizing the method of the subject invention to compute kP it is also possible to compute (k+1)P such that the x-coordinates of kP and (k+1)P are available. In this case the y-coordinate may be derived by computing Q + P = (x'', y'') and comparing the coordinate x'' to the x-coordinate of (k+1)P.

Referring to figure 5, a further application of an embodiment of the invention to verification of elliptic curve signatures is indicated generally by numeral 70. Once again it is assumed that the first correspondent 10 includes a private key random integer d and a corresponding public key Q derived from computing the point Q = dP. In order to sign a message M, a hash value e is computed from the message M using a hash function H. Next, a random integer k is selected as a private session key. A corresponding public session key kP is calculated from the random integer k. The first correspondent then represents the x-coordinate of the point kP as an integer z and then calculates a first signature component $r = z \bmod n$.

Next, a second signature component $s = k^{-1}(e + dr) \bmod n$ is also calculated. The signature components s and r and a message M are then transmitted to the second correspondent 12. In order for the second correspondent 12 to verify the signature (r, s) on M, the second correspondent looks up the public key Q of the first correspondent 10. A hash of the message M is calculated using the hash function H such that e' = H(M). A value $c = s^{-1} \bmod n$ is also calculated. Next, integer values $u_1$ and $u_2$ are calculated such that $u_1 = e'c \bmod n$ and $u_2 = rc \bmod n$. In order that the signature be verified, the value $u_1 P + u_2 Q$ must be calculated. Since P is known and is a system-wide parameter, the value $u_1 P$ may be computed quickly using pre-computed multiples of P. For example, these values may be combined from a pre-stored table of doubles of P, i.e. 2P, 4P, 8P, etc. On the other hand, however, the point Q is current and varies from user to user and, therefore, the value $u_2 Q$ may take some time to compute and generally cannot be pre-computed.

However, by resorting to the expedient of the method disclosed in the subject invention, verification of the signature may be significantly accelerated. Normally, the point $R = u_1 P + u_2 Q$ is computed. The field element x of the point R = (x, y) is converted to an integer z, and a value $v = z \bmod n$ is computed. If v = r, then the signature is valid.

Alternatively, a technique which takes advantage of "double & add" to compute $u_2 Q$: if the modular inverse of $u_2$ is calculated, $u_2' = u_2^{-1} \bmod n$, then R can be expressed as $u_2(u_1 u_2' P + Q)$, i.e. making use of the identity $u_2 u_2' = 1$. The value $u_1 u_2'$ is an integer and, therefore, may be easily computed. Thus, the point $u_1 u_2' P$ may be easily calculated or assembled from the previously stored values of multiples of P. The point Q is then added to the point $u_1 u_2' P$, which is a single addition, to obtain a new point R'.

Thus in order to verify the signature, the recipient need only determine the x coordinate of the value $u_2 R'$. This calculation may be performed using the "double and add" method as described with reference to figure 3. If this is equal to r then the signature is verified. The resulting value is the x-coordinate of the point $u_1 P + u_2 Q$. The value $v = x \bmod n$ is computed and verified against r. It may be noted that in this scheme the y-coordinate is not used in signature generation or verification and, hence, computing it is not mandatory. However, alternative schemes for both signature generation and verification may be utilized in these cases, and the y coordinate may be derived as described earlier, or the two y values corresponding to the given x-coordinate may be calculated and each used to attempt to verify the signature. Should neither satisfy this comparison, then the signature is invalid. That is, since verification requires computing the point $R = u_1 P + u_2 Q$, this can be done as follows. Transmit only the x coordinate of Q, compute the x-coordinate of $u_2 Q$ by using either the "double & add" of figure 3 or on $E(F_p)$, and try both points corresponding to this x-coordinate to see if either verifies the signature.

Referring back to figure 1, if keys are transferred between the correspondents of the form kP then, to reduce the bandwidth, it is possible for the sender to transmit only one of the co-ordinates of kP and compute the other co-ordinate at the receiver. For example, if the field elements are 155 bits for $F_{2^{155}}$, an identifier, for example a single bit of the correct value of the other co-ordinate, may also be transmitted. This permits the possibilities for the second co-ordinate to be computed by the recipient and the correct one identified from the identifier.

Referring therefore to Figure 1, the transmitter 10 initially retrieves as the public key dP of the receiver 12 a bit string representing the coordinate $x_0$ and a single bit of the co-ordinate $y_0$.

The transmitter 10 has the parameters of the curve in register 30 and therefore may use the co-ordinate $x_0$ and the curve parameters to obtain possible values of the other co-ordinate $y_0$ from the arithmetic unit 20.

For a curve of the form $y^2 + xy = x^3 + ax^2 + b$ and a co-ordinate $x_0$, the possible values $y_1$, $y_2$ for $y_0$ are the roots of $y^2 + x_0 y = x_0^3 + a x_0^2 + b$. By solving for y in the arithmetic unit, the possible roots will be obtained and comparison with the transmitted bit of information will indicate which of the values is the appropriate value of y.

The two possible values of the second co-ordinate ($y_0$) differ by $x_0$, i.e. $y_1 = y_2 + x_0$. Since the two values of $y_0$ differ by $x_0$, then $y_1$ and $y_2$ will always differ where a "1" occurs in the representation of $x_0$. Accordingly the additional bit transmitted is selected from one of those positions, and examination of the corresponding bit of the values of $y_0$ will indicate which of the two roots is the appropriate value.

The receiver 10 thus can generate the co-ordinates of the public key dP even though only 156 bits are retrieved. Similar efficiencies may be realized in transmitting the session key kP to the receiver 12, as the transmitter 10 need only forward one coordinate, $x_0$, and the selected identifying bit of $y_0$. The receiver 12 may then reconstruct the possible values of $y_0$ and select the appropriate one.
In the field $F_{2^m}$ it is not possible to solve for y using the quadratic formula as 2a = 0. Accordingly, other techniques need to be utilised and the arithmetic unit 20 is particularly adapted to perform this efficiently.

In general, provided $x_0$ is not zero, if $y = x_0 z$ then $x_0^2 z^2 + x_0^2 z = x_0^3 + a x_0^2 + b$. This may be written as

$z^2 + z = x_0 + a + \frac{b}{x_0^2} = c$,

i.e. $z^2 + z = c$.

If m is odd then either $z = c + c^4 + c^{16} + \ldots + c^{2^{m-1}}$ or $z = 1 + c + c^4 + \ldots + c^{2^{m-1}}$, to provide two possible values for $y_0$.

A similar solution exists for the case where m is even that also utilises terms of the same form. This is particularly suitable for use with a normal basis representation in $F_{2^m}$.

As noted above, raising a field element in $F_{2^m}$ to a power g can be achieved by a g-fold cyclic shift where the field element is represented in a normal basis. Accordingly, each value of z can be computed by shifting and adding and the values of $y_0$ obtained. The correct one of the values is determined by the additional bit transmitted.

The use of a normal basis representation in $F_{2^m}$ therefore simplifies the protocol used to recover the co-ordinate $y_0$. If $P = (x_0, y_0)$ is a point on the elliptic curve E: $y^2 + xy = x^3 + ax^2 + b$ defined over a field $F_{2^m}$, then $\tilde{y}_0$ is defined to be 0 if $x_0 = 0$; if $x_0 \ne 0$ then $\tilde{y}_0$ is defined to be the least significant bit of the field element $y_0 \cdot x_0^{-1}$. The x-coordinate $x_0$ of P and the bit $\tilde{y}_0$ are transmitted between the transmitter 10 and receiver 12. Then the y-coordinate $y_0$ can be recovered as follows.

1. If $x_0 = 0$ then $y_0$ is obtained by cyclically shifting the vector representation of the field element b that is stored in parameter register 30 one position to the left. That is, if $b = b_{m-1} b_{m-2} \ldots b_1 b_0$ then $y_0 = b_{m-2} \ldots b_1 b_0 b_{m-1}$.
2. If $x_0 \ne 0$ then do the following:

2.1 Compute the field element $c = x_0 + a + b x_0^{-2}$ in $F_{2^m}$.
2.2 Let the vector representation of c be $c = c_{m-1} c_{m-2} \ldots c_1 c_0$.
2.3 Construct a field element $z = z_{m-1} z_{m-2} \ldots z_0$ by setting

$z_0 = \tilde{y}_0$,
$z_1 = c_0 \oplus z_0$,
$z_2 = c_1 \oplus z_1$,
...
$z_{m-2} = c_{m-3} \oplus z_{m-3}$,
$z_{m-1} = c_{m-2} \oplus z_{m-2}$.

2.4 Finally, compute $y_0 = x_0 \cdot z$.

It will be noted that these computations can be readily performed in the arithmetic unit 20 as described above and that the computation of $y_0$ can be obtained from the multiplier 48.
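A worked example of the figure 3 pair method, the figure 4 y-coordinate recovery and the one-bit recovery of y0 described above, added here as my own illustration and not code from the patent. It uses a toy field GF(2^5) with reduction polynomial x^5 + x^2 + 1, the curve y^2 + xy = x^3 + x^2 + 1 and a base point found by search (all my choices); the quadratic z^2 + z = c is solved with the odd-m series c + c^4 + ... given above, and an ordinary affine implementation with inversions is included only to check the x-only results against.

```python
# Added example, not the patent's code: toy GF(2^5) curve, x-only "double and add" on a
# point pair (figure 3), y recovery from x(kP), x((k+1)P) (figure 4), one-bit y compression.
M = 5                      # GF(2^5): small enough to enumerate every point (my choice)
POLY = 0b100101            # reduction polynomial x^5 + x^2 + 1 (my choice)
A, B = 1, 1                # E: y^2 + xy = x^3 + A*x^2 + B, nonsupersingular since B != 0
INF = None                 # the point at infinity O

def fmul(u, v):            # polynomial-basis multiply, bit-serial shift-and-add
    r = 0
    while v:
        if v & 1:
            r ^= u
        v, u = v >> 1, u << 1
        if u >> M:
            u ^= POLY
    return r

def fsqr(u):
    return fmul(u, u)      # a single cyclic shift in a normal basis

def fpow(u, e):
    r = 1
    while e:
        if e & 1:
            r = fmul(r, u)
        u, e = fsqr(u), e >> 1
    return r

def finv(u):               # u^(2^M - 2): the costly operation the x-only ladder avoids
    return fpow(u, (1 << M) - 2)

def half_trace(c):         # root of z^2 + z = c for odd M: c + c^4 + ... + c^(2^(M-1))
    z = c
    for _ in range((M - 1) // 2):
        c = fsqr(fsqr(c))
        z ^= c
    return z

def on_curve(p):
    x, y = p
    return fsqr(y) ^ fmul(x, y) == fmul(fsqr(x), x) ^ fmul(A, fsqr(x)) ^ B

def add(p, q):             # affine group law, one inversion per addition (reference only)
    if p is INF or q is INF:
        return q if p is INF else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2:
        if y1 != y2 or x1 == 0:   # q == -p, or p is the point of order two
            return INF
        lam = x1 ^ fmul(y1, finv(x1))
        x3 = fsqr(lam) ^ lam ^ A
        return x3, fsqr(x1) ^ fmul(lam ^ 1, x3)
    lam = fmul(y1 ^ y2, finv(x1 ^ x2))
    x3 = fsqr(lam) ^ lam ^ x1 ^ x2 ^ A
    return x3, fmul(lam, x1 ^ x3) ^ x3 ^ y1

def point_order(p):
    n, q = 1, p
    while q is not INF:
        q, n = add(q, p), n + 1
    return n

def find_base_point():     # the point with x != 0 of largest order on the toy curve
    pts = [(x, y) for x in range(1, 1 << M) for y in range(1 << M) if on_curve((x, y))]
    return max(pts, key=point_order)

def ladder_x(k, x):
    """x(kP) and x((k+1)P) from x(P) alone, k >= 1; the pair always differs by P."""
    def dbl(X, Z):                                  # X3 = X^4 + B*Z^4, Z3 = X^2*Z^2
        return fsqr(fsqr(X)) ^ fmul(B, fsqr(fsqr(Z))), fsqr(fmul(X, Z))
    def add_pair(X1, Z1, X2, Z2):                   # Z3 = (X1Z2 + X2Z1)^2, X3 = x*Z3 + X1Z2*X2Z1
        t1, t2 = fmul(X1, Z2), fmul(X2, Z1)
        z3 = fsqr(t1 ^ t2)
        return fmul(x, z3) ^ fmul(t1, t2), z3       # x is the patent's x4, constant here
    P1, P2 = (x, 1), dbl(x, 1)                      # (P, 2P) for the leading 1 bit of k
    for bit in bin(k)[3:]:                          # remaining bits, most significant first
        if bit == "0":
            P1, P2 = dbl(*P1), add_pair(*P1, *P2)   # (2mP, (2m+1)P)
        else:
            P1, P2 = add_pair(*P1, *P2), dbl(*P2)   # ((2m+1)P, (2m+2)P)
    return fmul(P1[0], finv(P1[1])), fmul(P2[0], finv(P2[1]))   # the only inversions

def y_from_x(x):           # both y with (x, y) on E: y = x*z where z^2 + z = x + A + B/x^2
    if x == 0:                                      # the order-two point: y = sqrt(B)
        s = fpow(B, 1 << (M - 1))
        return s, s
    z = half_trace(x ^ A ^ fmul(B, finv(fsqr(x))))
    return fmul(x, z), fmul(x, z ^ 1)               # the two roots differ by x

def recover_y(k, base):    # figure 4 with (k+1)P: keep the root whose Q + P has the right x
    xk, xk1 = ladder_x(k, base[0])
    for y in y_from_x(xk):
        s = add((xk, y), base)
        if s is not INF and s[0] == xk1:
            return (xk, y)

def compress(p):           # x plus one bit: the LSB of y * x^-1 (0 when x == 0)
    x, y = p
    return x, ((fmul(y, finv(x)) & 1) if x else 0)

def decompress(x, bit):    # roots z and z + 1 differ in their LSB, so the bit selects one
    y0, y1 = y_from_x(x)
    return (x, y0) if (fmul(y0, finv(x)) & 1) == bit else (x, y1)
```

Calling find_base_point() and then ladder_x(k, G[0]) for k below the point order gives x(kP) and x((k+1)P) without any inversion inside the loop; recover_y(k, G) returns the full point and decompress(*compress(Q)) round-trips any point Q.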

In the above examples, the identification of the appropriate value of $y_0$ has been obtained by transmission of a single bit and a comparison of the values of the roots obtained. However, other indicators may be used to identify the appropriate one of the values, and the operation is not restricted to encryption with elliptic curves in the field $GF(2^m)$. For example, if the field is selected as $Z_p$, $p \equiv 3 \pmod 4$, then the Legendre symbol associated with the appropriate value could be transmitted to designate the appropriate value. Alternatively, the set of elements in $Z_p$ could be subdivided into a pair of subsets with the property that if y is in one subset, then −y is in the other, provided $y \ne 0$. An arbitrary value can then be assigned to respective subsets and transmitted with the co-ordinate $x_0$ to indicate in which subset the appropriate value of $y_0$ is located. Accordingly, the appropriate value of $y_0$ can be determined. Conveniently, it is possible to take an appropriate representation in which the subsets are arranged as intervals to facilitate the identification of the appropriate value of $y_0$. It may be noted that one of the methods described earlier may also be used to derive the coordinate.

These techniques are particularly suitable for encryption utilizing elliptic curves but may also be used with any alge- 
braic curves and have applications in other fields such as error correcting coding where co-ordinates of points on 
curves have to be transferred. 

It will be seen therefore that by utilising an elliptic curve lying in the finite field GF(2^m) and utilising a normal basis 
representation, the computations necessary for encryption with elliptic curves may be efficiently performed. Such oper- 
ations may be implemented in either software or hardware and the structuring of the computations makes the use of a 
finite field multiplier implemented in hardware particularly efficient. 

The present invention is thus generally concerned with an encryption method and system and particularly an elliptic 
curve encryption method and system in which finite field elements are multiplied in a processor efficient manner. The 
encryption system can comprise any suitable processor unit such as a suitably programmed general-purpose compu- 
ter. 

Claims 

1. A method of determining a multiple of a point P on an elliptic curve defined over a field F2^m, said method comprising 
steps of: 

(a) representing the number k as a vector of binary digits k_i; 

(b) forming a pair of points P1 and P2, wherein the points P1 and P2 differ at most by P; and 

(c) selecting each of said k_i in turn and for each of said k_i, 

upon said k_i being a one, adding said pair of points P1 and P2 to form a new point P1 and adding said point 
P to P1 to form a new point P2, said new points replacing said pair of points P1 and P2; or 
upon said k_i being a zero, doubling said point P1 to form a new point P1 and adding said point P to form a 
new point P2, said new points replacing said pair of points P1 and P2, whereby said product kP is obtained 
from said point P1 in M-1 steps and wherein M represents the number of digits in k. 

2. A method as described in claim 1, said elliptic curve being of the form y^2 + xy = x^3 + ax^2 + b and said field being 
selected to have elements A^(2^i) (0 ≤ i < m) that constitute a normal basis. 

3. A method as described in claim 2, including the step of representing the co-ordinates of a point on said curve as a 
set of vectors, each vector representing a co-ordinate of said point and having m binary digits, each of which rep- 
resents the coefficient of A^(2^i) in the normal basis representation of said vector. 

4. A method as defined in claim 3, said adding of points P1 and P2 utilises only said x co-ordinates of said points P1, 
P2 and P1 - P2. 

5. A method as defined in claim 4, said x co-ordinate of said added points is obtained by computing 

(x1 + x2) 

where x1, x2 are the x coordinates of P1 and P2, x3 is the x coordinate of P1 + P2 and x4 is the x coordinate of P1 - P2. 

6. A method as defined in claim 5, including converting said coordinates to projective coordinates. 

7. A method as defined in claim 6, said coordinate x3 being obtained by computing x3 = x1^4 + b · z1^4. 

8. A method as defined in claim 4, including computing a y coordinate of said point kP from said x coordinate by uti- 
lising an x coordinate of said point (k-1)P and said point kP. 

9. A method as defined in claim 8, including computing a y coordinate of said point kP by substituting said x coordi- 
nate of kP in said elliptic curve equation. 

10. A method of transferring the co-ordinates of a point on an algebraic curve between a pair of correspondents con- 
nected by a data communications link comprising the steps of forwarding from one correspondent to another a co- 
ordinate of said point, providing at said other correspondent parameters of said algebraic curve, and computing at 
said other correspondent said other co-ordinate from said one co-ordinate and said algebraic curve. 

11. A method according to claim 10 including the step of forwarding with said one co-ordinate identifying information of 
said other co-ordinate and utilising said identifying information and a discriminating function to determine the 
appropriate value of said other co-ordinate. 

12. A method according to claim 11 wherein said identifying information is a digital bit of said other co-ordinate that 
identifies the appropriate value of said other co-ordinate. 

13. A method according to claim 12 wherein said algebraic curve is an elliptic curve of the form y^2 + xy = x^3 + ax^2 + b 
and said other co-ordinate is determined by solving a quadratic equation to provide two possible values of said 
other co-ordinate, said identifying information indicating the appropriate one of said values. 

14. A method according to claim 13 wherein said identifying information is a digital bit of said other coordinate that 
identifies the appropriate value of said other co-ordinate. 

15. A method according to claim 14 wherein said algebraic curve is an elliptic curve of the form y^2 + xy = x^3 + ax^2 + b 
defined over a finite field F2^m. 

16. A method according to claim 15 including the step of forwarding with said one coordinate identifying information of 
said other co-ordinate and utilising said identifying information and a discriminating function to determine the 
appropriate value of said other co-ordinate. 

17. A method according to claim 16 wherein said field has field elements 
that constitute a normal basis. 

18. A method according to claim 17 wherein said other co-ordinate is determined by solving a quadratic equation to 
provide two possible values of said other co-ordinate, said identifying information indicating the appropriate one of 
said values. 

19. A method according to claim 18 wherein said quadratic equation is solved by summing terms of the form 

from g = 0 to g = m-1 where 

c = x0 + a + b · x0^(-2) 

and x0 is said one co-ordinate. 
20. A method according to claim 19 wherein terms of the form 

are obtained by g-fold cyclic shifts of the normal basis representation of c. 

21. A method according to claim 20 wherein said algebraic curve is defined over the field Zp and said identifying infor- 
mation indicates the Legendre symbol of the appropriate value. 

22. A method according to claim 21 wherein said curve is defined over the field Zp and the elements thereof subdivided 
into a pair of subsets, one of which contains one possible value and the other of which contains the other possible 
value, said indicating information identifying the subset containing the appropriate value. 

23. A method of encrypting data using the method of any preceding claim. 

24. Encryption apparatus for encrypting data comprising: 

input means for inputting data; 
encryption means for encrypting the data using the method of any preceding claim; and 
output means for outputting encrypted data. 

25. A signal representing data encrypted using the method of any one of claims 1 to 23. 

26. Apparatus for determining a multiple of a point P on an elliptic curve defined over a field F2^m, the apparatus comprising: 

(a) means for representing the number k as a vector of binary digits k_i; 

(b) means for forming a pair of points P1 and P2, wherein the points P1 and P2 differ at most by P; and 
(c) means for selecting each of said k_i in turn and for each of said k_i, 

upon said k_i being a one, adding said pair of points P1 and P2 to form a new point P1 and adding said point 
P to P1 to form a new point P2, said new points replacing said pair of points P1 and P2; or 
upon said k_i being a zero, doubling said point P1 to form a new point P1 and adding said point P to form a 
new point P2, said new points replacing said pair of points P1 and P2, whereby said product kP is obtained 
from said point P1 in M-1 steps and wherein M represents the number of digits in k. 

27. Apparatus at a first correspondent for receiving the coordinates of a point on an algebraic curve from a second 
correspondent over a data communications link, the apparatus comprising means for receiving from the second 
correspondent a coordinate of said point, and means for computing the or each other coordinate using the received 
coordinate and parameters of said algebraic curve. 
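The point multiplication of claims 1 and 4 to 9 (a pair (P1, P2) = (mP, (m+1)P) stepped through the digits of k using only x-coordinates, in projective form, with y recovered afterwards), worked in Python as an added example that is not the patent's or its assignee's code. Assumptions of the example: the field is a constructed GF(2^7) with reduction polynomial x^7 + x + 1 and log/antilog tables for arithmetic; the curve coefficients a and b are constructed; the addition relation used in `add_x`, x(P1 + P2) = x(P1 - P2) + x1·x2/(x1 + x2)^2, and the projective doubling X' = X^4 + b·Z^4, Z' = X^2·Z^2 are the standard López-Dahab forms (only the doubling appears on the page, in claim 7); and y is recovered from x(P), x(kP) and x((k+1)P), the pair the ladder leaves behind, by the López-Dahab formula rather than from (k-1)P as claim 8 words it. A textbook affine implementation serves as the reference the ladder is checked against.

```python
# Added example (not from the patent): x-only ladder of claims 1 and 4-7 over a
# constructed GF(2^7), checked against ordinary affine point arithmetic.

M = 7
POLY = 0b10000011                      # x^7 + x + 1, irreducible; x generates the 127 units
ORDER = (1 << M) - 1

# Log/antilog tables: multiplication and inversion by lookup (assumed representation).
EXP = [0] * (2 * ORDER)
LOG = [0] * (1 << M)
_v = 1
for _i in range(ORDER):
    EXP[_i] = EXP[_i + ORDER] = _v
    LOG[_v] = _i
    _v <<= 1
    if _v & (1 << M):
        _v ^= POLY

def mul(a, b):
    return 0 if a == 0 or b == 0 else EXP[LOG[a] + LOG[b]]

def sq(a):
    return mul(a, a)

def inv(a):
    if a == 0:
        raise ZeroDivisionError("inverse of 0: the point at infinity was reached")
    return EXP[ORDER - LOG[a]]

A, B = 1, 0b0010011                    # constructed curve y^2 + xy = x^3 + A x^2 + B

def on_curve(x, y):
    return sq(y) ^ mul(x, y) == mul(sq(x), x) ^ mul(A, sq(x)) ^ B

# Reference: textbook affine addition (needs y and one inversion per operation).
def affine_add(P, Q):
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:
        if y1 != y2 or x1 == 0:
            return None                    # Q = -P: point at infinity
        lam = x1 ^ mul(y1, inv(x1))        # doubling slope x1 + y1/x1
        x3 = sq(lam) ^ lam ^ A
    else:
        lam = mul(y1 ^ y2, inv(x1 ^ x2))
        x3 = sq(lam) ^ lam ^ x1 ^ x2 ^ A
    return x3, mul(lam, x1 ^ x3) ^ x3 ^ y1

def scalar_ref(k, P):
    R = None
    for _ in range(k):
        R = affine_add(R, P)
    return R

# x-only projective formulas (claims 6-7): X/Z is the x-coordinate; no y, no inversion.
def dbl_x(X, Z):
    return sq(sq(X)) ^ mul(B, sq(sq(Z))), mul(sq(X), sq(Z))   # X^4 + b Z^4, X^2 Z^2

def add_x(X1, Z1, X2, Z2, xdiff):
    # x(P1 + P2) = x(P1 - P2) + x1 x2 / (x1 + x2)^2, with xdiff = x(P1 - P2) (claims 4-5)
    u, w = mul(X1, Z2), mul(X2, Z1)
    Z3 = sq(u ^ w)
    return mul(xdiff, Z3) ^ mul(u, w), Z3

def ladder_x(k, x):
    """Claim 1: carry (P1, P2) = (mP, (m+1)P) through the digits of k, most
    significant first; returns (x(kP), x((k+1)P)) for k >= 1."""
    X1, Z1 = x, 1                          # P1 = P
    X2, Z2 = dbl_x(x, 1)                   # P2 = 2P
    for bit in bin(k)[3:]:                 # the remaining M-1 digits
        if bit == "1":                     # (P1, P2) <- (P1 + P2, 2 P2)
            X1, Z1, X2, Z2 = (*add_x(X1, Z1, X2, Z2, x), *dbl_x(X2, Z2))
        else:                              # (P1, P2) <- (2 P1, P1 + P2)
            X1, Z1, X2, Z2 = (*dbl_x(X1, Z1), *add_x(X1, Z1, X2, Z2, x))
    return mul(X1, inv(Z1)), mul(X2, inv(Z2))   # the only inversions, at the very end

def ladder_xy(k, P):
    """kP with y recovered from x(P), x(kP), x((k+1)P) (Lopez-Dahab; needs x != 0, kP != +-P)."""
    x, y = P
    x1, x2 = ladder_x(k, x)
    s = x1 ^ x
    return x1, mul(mul(s, mul(s, x2 ^ x) ^ sq(x) ^ y), inv(x)) ^ y

def find_base_point():
    """Constructed sample input: a point with x != 0 whose first 16 multiples are all finite."""
    for x in range(1, 1 << M):
        for y in range(1 << M):
            if on_curve(x, y) and all(scalar_ref(k, (x, y)) for k in range(1, 17)):
                return x, y
```

Each digit of k costs exactly one `add_x` and one `dbl_x` whichever value it has, and the difference P1 - P2 fed to `add_x` is always P itself, which is why only x(P) needs to be kept; the affine reference, by contrast, pays one field inversion per operation. The `inv` guard is deliberate: a Z of 0 means the ladder has landed on the point at infinity (k a multiple of the order of P), and the table lookup would otherwise return a meaningless value silently.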